Business processes need to be audited periodically for legal, contractual and security reasons. Certification and accreditation assure trust by participants and oversight agencies alike. Regular audit is essential to security to insure that policies, however well documented, are actually carried out. Auditing business processes involves checking for compliance with pre-established procedures as well as for proper authorization of the entities or people who executed or had access to the various elements of the process and then analyzing and recording the results of these inquiries in some meaningful way. If the entire business process is carried out on a single software application or an integrated set of distributed applications from a single source, i.e., a single software company, the audit process is reasonably straightforward because it can be done within the context of a consistent set of formats and procedures that are established and vouched for by the software producer. Audit software exists today both at the level of the individual application and also at the business system level of an integrated set of distributed applications from a single manufacturer, for example, SAP's “Audit Information System.” However, business processes often span several applications from different manufacturers, each employing its own idiosyncratic procedures, nomenclature and formats. In this cross-application corporate landscape, performing a business process audit poses unique challenges that have not been met.
The problem is exacerbated where a given business process to be audited spans not only several different applications from different software providers but also multiple collaborating entities or enterprises, e.g., distinct but commonly-owned enterprises within a single corporate family environment, distinct noncommonly-owned corporations operating in a strategic alliance, partners in a joint venture or a supply chain including both suppliers and customers of a company with respect to a given product line. While these separate entities may all be involved in interrelated aspects of a single business process, e.g., a sales transaction, each entity may nonetheless constitute an independent regime from the security standpoint, e.g., having its own legacy controls and at least the potential capability of independent control, i.e. change, of the formats and procedures for its own information technology to suit its own perceived needs.
The only way in which cross-application business process audits can be carried out today in such an environment is to conduct audits of each application within each entity on an individual basis, taking into account the current respective set of applicable controls, procedures, formats, etc. and then to collect the necessary information for a particular business process from the various applications. An example of the collection approach is exemplified by Consul's eAudit” which is designed to collect and consolidate data from different sources. With existing tools, however, it is virtually impossible to trace and analyze cross-application business processes on systems provided by different manufacturers. Where the systems are operated by disparate enterprises within a single corporation or by different collaborating companies, it is even more difficult to coordinate and analyze the information from the individual audits in a way that warrants the trust of those who rely on the integrity of the business process as a whole.
Meanwhile, every day more and more business processes are moving to the Internet beyond the secure borders of in-house networks and intranets. As companies collaborate more frequently in e-business, open networks and cross-company business transactions are increasingly replacing monolithic, closed systems. Disparate applications maintained in different companies are being virtually extended beyond the secure confines of their respective in-house networks and combined to form efficient Web services. This type of collaboration obviously requires companies to exchange data beyond these secure environments. But by doing so, the collaborating enterprises surrender their unique control over the business process that enabled audit systems to thoroughly check the integrity of the system against established, well understood internal standards.